Use the Authentication page to configure password, sign-on, and group password policies. For mobile and wifi policies, navigate to the Devices menu. Some of these options are not visible if they are not enabled for your org.
Policies are the first line of defense in keeping an organization secure. Okta policies allow control of various elements of security, including end-user passwords, the authentication challenges a user receives, the devices they can use, and the places they use them from. A policy can be based on a variety of factors, such as location, group definitions, and authentication type.
Note: If this feature is not enabled for your org, basic password management settings are located here. For more information, see Configuring an Organization-wide Password Policy.
Group password policies allow you to define password policies and associated rules to enforce password settings on the group and authentication-provider level. You can create multiple policies with more or less restrictive rules and apply them to different groups. Use policies to enforce the use of strong passwords to better protect your organization's assets. Password policies apply only to Okta-managed users; passwords for Active Directory and LDAP-mastered users are managed by their directory service.
When provisioning is enabled, some applications, such as Microsoft Office 365 and Google G Suite, check an Okta password policy when provisioning a user to ensure that the Okta policy meets the application's password requirements. It is sometimes possible for a user's Okta password to meet these requirements while the password policy itself does not, which results in an error during the provisioning attempt. This also applies to possible password policy gaps between Active Directory or LDAP and Okta. If you observe provisioning errors after configuring or editing an Okta password policy, ensure that the policy itself meets the application's requirements: typically eight characters with an upper-case and a lower-case character and either a symbol or a number.
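The distinction above, between a password that happens to satisfy an application and a policy that guarantees it, is the one the provisioning check cares about. The following added example (not Okta's code; the policy field names and the sample policies are constructed for illustration) compares a policy's complexity settings against the application requirement the page describes, and separately checks one concrete password, so the two kinds of gap can be told apart:

```python
import string

# Constructed model of a group password policy's complexity settings.
# Field names are hypothetical and are not the Okta API's policy schema.
def make_policy(min_length, require_upper, require_lower,
                require_number=False, require_symbol=False):
    return {"min_length": min_length, "require_upper": require_upper,
            "require_lower": require_lower, "require_number": require_number,
            "require_symbol": require_symbol}

# The application requirement described on the page: eight characters with an
# upper- and a lower-case character and either a symbol or a number.
APP_REQUIREMENT = {"min_length": 8, "upper": True, "lower": True,
                   "number_or_symbol": True}

def policy_gaps(policy, req):
    """List the ways a policy fails to guarantee the app's requirement.

    A user's individual password may still satisfy the app by chance; the
    provisioning check looks at the policy, so these gaps are what matter."""
    gaps = []
    if policy["min_length"] < req["min_length"]:
        gaps.append("min_length %d < %d" % (policy["min_length"], req["min_length"]))
    if req["upper"] and not policy["require_upper"]:
        gaps.append("upper-case letter not required")
    if req["lower"] and not policy["require_lower"]:
        gaps.append("lower-case letter not required")
    # The app accepts either a number or a symbol, so the policy must force one.
    if req["number_or_symbol"] and not (policy["require_number"] or policy["require_symbol"]):
        gaps.append("neither number nor symbol required")
    return gaps

def password_meets(password, req):
    """Check one concrete password against the same app requirement."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_num_or_sym = any(c.isdigit() or c in string.punctuation for c in password)
    return (len(password) >= req["min_length"]
            and (has_upper or not req["upper"])
            and (has_lower or not req["lower"])
            and (has_num_or_sym or not req["number_or_symbol"]))

# Constructed scenario: the org policy is weaker than what the app needs,
# even though a particular user's password would pass.
WEAK_POLICY = make_policy(min_length=6, require_upper=True, require_lower=True)
STRICT_POLICY = make_policy(8, True, True, require_number=True)

if __name__ == "__main__":
    print("policy gaps:", policy_gaps(WEAK_POLICY, APP_REQUIREMENT))
    print("password ok:", password_meets("Winter!2024", APP_REQUIREMENT))
```

Running it against the weak policy reports two gaps while the sample password passes, which is exactly the situation that produces a provisioning error: fix the policy, not the password.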
Note: The default password policy is applied when a user is created. Group assignment on a password policy is not evaluated when a user is created.
Password Policy Evaluation
There are three general guidelines for password policy evaluation.
This is an Early Access feature. To enable it, please contact Okta Support.
Note: If the Early Access feature Group Password Policy is enabled for your org, password management settings are located in Security > Policies (see Configuring Group Password Policies).
Configure a password policy for your org to manage the complexity and longevity of your end users' Okta passwords. Unless the Early Access feature Group Password Policy is enabled for your org, the Okta password policy applies only to Okta-managed users. Passwords for Active Directory and LDAP delegated authentication users are managed by their directory service.
Password Policy Types
All Okta-mastered users are subject to the Default Policy unless another policy applies. The Default Policy cannot be deactivated or deleted, and always holds the lowest ranking within the policy list.
A Legacy Policy is automatically created for Okta-mastered users. In previous versions of the platform, password policy settings were located on the Security > General page. For orgs that were created before Group Password Policy was enabled, the Legacy policy and associated Legacy rules are preserved. Existing password policy settings for an org are copied to the Legacy Policy. All Legacy policy and rule settings are configurable.
Active Directory Policy
If you currently have one or more Active Directory (AD) integrations, an AD policy is automatically created for you. You can customize the elements of the policy and its rules.
For new policies
Sign on policy can specify actions to take, such as allowing access, prompting for a challenge, and setting the time before prompting for another challenge. You can specify the order in which policies are executed and add any number of policies. If a policy in the list does not apply to the user trying to sign in, the system moves to the next policy.
You can specify any number of policies and the order in which they are executed. There is one required policy named Default. By definition, the default policy applies to all users.
In addition to the default policy, which you cannot delete, there is another policy named Legacy that is present only if you have already configured MFA. This policy reflects the MFA settings that were in place when you enabled your sign-on policy, and ensures that no changes in MFA behavior occur unless you modify your policy. If needed, you can delete it.
When a policy is evaluated, the conditions in the policy are combined with the conditions in the associated rules. Rules are applied when all these conditions are met.
Note: A policy with no rules cannot be applied.
Policies can contain multiple rules, and the order of the rules determines their behavior.
Understanding Policy Evaluation
Okta amalgamates the conditions of a policy and the conditions of a rule to determine whether a policy is applied to a particular user. Policies generally consist of large elements that can be applied to many users, such as a minimum password length. Rules consist of conditions such as place and circumstance, like geographical location or whether the user is on or off a company network. A policy that contains no rules cannot be applied.
For example, if you create a policy that you assign to the group “Admins”, you would create conditions specific to the needs of administrators. The policy might require a minimum password length of 12 to make password guessing harder. A rule applied to the policy might allow self-service unlock only under certain conditions, such as whether a particular admin is on or off your company network.
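The evaluation order described above (policies in priority order with Default last, a policy skipped when its group condition does not match the user or when it has no rules, and rules within a policy matched in order) is easy to misjudge when several policies overlap. The following added example, which is not Okta's code, models it in Python with constructed policies; the rule conditions, action names and group names are hypothetical, and it assumes that when a policy applies to the user but none of its rules match, evaluation continues with the next policy, which the page does not state:

```python
from dataclasses import dataclass, field

# Constructed model of sign-on policy evaluation as the page describes it.
# Names and condition fields are hypothetical, not the Okta API schema.
ANYWHERE, ON_NETWORK, OFF_NETWORK = "ANYWHERE", "ON_NETWORK", "OFF_NETWORK"

@dataclass
class Rule:
    name: str
    network: str                      # where the user must be for the rule to apply
    action: str                       # ALLOW, DENY or PROMPT_MFA
    excluded_users: frozenset = frozenset()   # "Exclude users" on the rule

@dataclass
class Policy:
    name: str
    groups: frozenset                 # empty = applies to all users (the Default policy)
    rules: list = field(default_factory=list)

@dataclass
class SignIn:
    user: str
    groups: frozenset
    on_network: bool

def rule_applies(rule, signin):
    """Rule conditions are combined with the policy's conditions: all must hold."""
    if signin.user in rule.excluded_users:
        return False
    if rule.network == ON_NETWORK and not signin.on_network:
        return False
    if rule.network == OFF_NETWORK and signin.on_network:
        return False
    return True

def evaluate(policies, signin):
    """Walk policies in priority order and return (policy, rule, action).

    A policy whose group condition the user does not meet is skipped, as is a
    policy with no rules. Assumption (not stated on the page): if a policy
    applies but none of its rules match, the next policy is tried."""
    for policy in policies:
        if policy.groups and not (policy.groups & signin.groups):
            continue                  # policy does not apply to this user
        if not policy.rules:
            continue                  # a policy with no rules cannot be applied
        for rule in policy.rules:     # rule order matters: first match wins
            if rule_applies(rule, signin):
                return policy.name, rule.name, rule.action
    return None

# Constructed policy list, highest priority first; Default always ranks last.
POLICIES = [
    Policy("Admins", frozenset({"Admins"}), [
        Rule("Off network: require MFA", OFF_NETWORK, "PROMPT_MFA",
             excluded_users=frozenset({"svc-backup"})),
        Rule("Otherwise allow", ANYWHERE, "ALLOW"),
    ]),
    Policy("Contractors (no rules yet)", frozenset({"Contractors"})),
    Policy("Default", frozenset(), [Rule("Allow everyone", ANYWHERE, "ALLOW")]),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, SignIn("alice", frozenset({"Admins"}), on_network=False)))
    print(evaluate(POLICIES, SignIn("bob", frozenset({"Contractors"}), on_network=False)))
```

Note how the contractor falls through to Default because the Contractors policy has no rules, and how the excluded service account in the Admins group skips the MFA rule and lands on the next rule in the same policy rather than on a different policy.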
The Prompt for Factor checkbox is not active unless at least one factor has been chosen on the Multifactor page.
To access the page and choose one or more factors, navigate to Security > Multifactor.
Note: If a specific factor is specified in a policy, that factor cannot be removed until it is removed from all the policies that require it.
If MFA is enabled for your org, you are required to specify at least one factor. If a factor is not specified, an error message appears on the Multifactor page.
Creating a Sign-on Policy
To create a Sign-on Policy, click Add New Okta Sign-on Policy. In the screen that opens, enter any desired policy name and description.
You can specify that a policy can only be applied to certain groups. To assign a policy to groups, enter the desired group names in the Assign to Groups field. The group names must already exist before assigning them to a policy. When done, click Create Policy.
When a policy is evaluated, the conditions in the policy are combined with the conditions in the rule. The rule is applied when all these conditions are met. A policy with no rule cannot be applied.
Click Add Rule to add a rule to a policy. Complete the following fields as needed.
Rule name: Add a descriptive name for the rule you want to create.
Exclude users: If needed, you can exclude individual users of a group from the rule.
If a user is located...: Use the drop-down menu to assign location parameters. You can specify what kind of location will prompt authentication.
Manage configuration for Network: Click the Manage Configurations for Network link to access the gateway settings that enable your choice of access. For details on using this option, see the Public Gateway IPs section of Using the Okta Security Page.
And Authenticates via...: Use this drop-down menu to specify the required means of authentication.
And Behavior is: Add any defined security behaviors.
Then Access is...: Based on the authentication form of the previous drop-down menu, use this one to establish whether the condition allows or denies access.
Prompt for Factor: Appears as available only when at least one factor type is enabled.
Selecting this box also displays radio buttons that determine whether the prompt is triggered per device, at every sign-on, or per session for a time that you specify. Choosing Every Time does not allow end users to control MFA prompts. For details on the user experience for these options, see End User Control of MFA Prompts.
Manage configuration for Multifactor Authentication: Click Manage Configurations for Multifactor Authentication for quick access to the Authentication page and the Multifactor tab. See Configuring Multifactor Authentication for details about each of the authentication options.
Select the box to display radio buttons that determine whether the prompt is triggered per device, at every sign-on, or per session for a time that you specify. When specifying per session, note that sessions have the configured default lifetime, but a session always ends when the user signs out of Okta.
Factor Lifetime: Use this drop-down menu to specify how much time must elapse before the user is challenged for MFA again. The default lifetime is 15 minutes, and the maximum is 6 months. Setting a factor lifetime lets end users sign out and, within the time noted in the Factor Lifetime, sign in again without authenticating with MFA. End users must check a box to confirm that the setting should be applied, for example Do not challenge me on this device for the next 15 minutes. In that case, after signing out, there is no MFA prompt if the new sign-in is within 15 minutes of the last sign-in with MFA. If users do not check the box, they are always prompted for MFA. The time since the last sign-in is shown at the bottom of the Dashboard; however, end users must refresh the screen to see the updated value.
And Session Lifetime is…: Use this drop-down menu to specify the maximum idle time before an authentication prompt is triggered. The maximum allowed time for this option is 90 days. This is idle time, not total connect time. The default session lifetime is 2 hours. Users see a countdown timer when 5 minutes of session time remain.
Note: You can set the maximum session lifetime through the Okta API. If you previously set this maximum with the API, you cannot exceed it here in the Okta app. Setting a value over the API maximum results in an error.
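The Prompt for Factor, Factor Lifetime and Session Lifetime settings above interact, so it helps to see the decisions written out. The following added example is not Okta's code: it models, with constructed inputs, when an MFA challenge is required under the every-sign-on and per-session modes, how idle time drives the countdown warning and session expiry, and how the 90-day and API-set maximums are enforced. The function and constant names are hypothetical, the 6-month maximum is approximated as 180 days, and per-device prompting (the same check keyed by device rather than by session) is left out for brevity:

```python
from datetime import datetime, timedelta

# Constructed model of the MFA prompt and session settings described above.
# Names are hypothetical; the values come from the page.
EVERY_SIGN_ON, PER_SESSION = "EVERY_SIGN_ON", "PER_SESSION"
DEFAULT_FACTOR_LIFETIME = timedelta(minutes=15)
MAX_FACTOR_LIFETIME = timedelta(days=180)        # "6 months", approximated
DEFAULT_SESSION_LIFETIME = timedelta(hours=2)    # idle time, not connect time
MAX_SESSION_LIFETIME = timedelta(days=90)
COUNTDOWN_WARNING = timedelta(minutes=5)         # timer shown at the 5-minute mark

def needs_mfa(mode, remember_checked, last_mfa_at, now,
              factor_lifetime=DEFAULT_FACTOR_LIFETIME):
    """Decide whether this sign-in must complete an MFA challenge."""
    if mode == EVERY_SIGN_ON:
        return True                  # end users cannot suppress the prompt
    if not remember_checked:
        return True                  # "Do not challenge me ..." box left unchecked
    if last_mfa_at is None:
        return True                  # no prior MFA sign-in to reuse
    # Within the factor lifetime of the last MFA sign-in: no new prompt.
    return now - last_mfa_at > factor_lifetime

def session_state(last_activity_at, now, idle_lifetime=DEFAULT_SESSION_LIFETIME):
    """ACTIVE, WARNING (countdown timer showing) or EXPIRED, based on idle time."""
    idle = now - last_activity_at
    if idle >= idle_lifetime:
        return "EXPIRED"
    if idle_lifetime - idle <= COUNTDOWN_WARNING:
        return "WARNING"
    return "ACTIVE"

def validate_session_lifetime(requested, api_maximum=None):
    """Return None if the requested lifetime is acceptable, else an error string."""
    if requested > MAX_SESSION_LIFETIME:
        return "exceeds the 90-day maximum"
    if api_maximum is not None and requested > api_maximum:
        return "exceeds the maximum previously set through the API"
    return None

def validate_factor_lifetime(requested):
    """Return None if the requested factor lifetime is acceptable, else an error."""
    if requested > MAX_FACTOR_LIFETIME:
        return "exceeds the 6-month maximum"
    return None

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed time of the last MFA sign-in
    print(needs_mfa(PER_SESSION, True, t0, t0 + timedelta(minutes=10)))   # False
    print(session_state(t0, t0 + timedelta(minutes=116)))                  # WARNING
    print(validate_session_lifetime(timedelta(hours=10), timedelta(hours=8)))
```

The per-session branch reproduces the page's 15-minute scenario: a user who checked the box and signs back in 10 minutes after an MFA sign-in is not prompted, while one returning after 16 minutes, or one who never checked the box, is.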
Global Sign-on Policy Actions
Individual Sign-on Policy Actions
You can perform the following actions that affect only the policy that is selected. Click the policy name in the list to select it—the selected policy displays in blue.
If you check the Prompt for Factor checkbox, as shown below, three options appear that affect how end users are prompted for MFA in a given session.
Two of these options allow end users to control these prompts, while one disallows it.